diff --git a/.github/vale/config/vocabularies/Docker/accept.txt b/.github/vale/config/vocabularies/Docker/accept.txt index 775f1cf3daca..e7c093a619ca 100644 --- a/.github/vale/config/vocabularies/Docker/accept.txt +++ b/.github/vale/config/vocabularies/Docker/accept.txt @@ -114,6 +114,7 @@ Wasm Windows Zsh [Bb]uildx +[Cc]odenames? [Cc]ompose [Dd]istros [Ff]ilepaths? @@ -129,6 +130,7 @@ Zsh [Ss]andbox(ed)? [Ss]wappable [Ss]warm +[Tt]oolchains? [Vv]irtualize [Ww]alkthrough cgroup @@ -138,8 +140,8 @@ deserialization deserialize dockerignore firewalld +g?libc gRPC -glibc inotify iptables kubectl diff --git a/content/build/building/base-images.md b/content/build/building/base-images.md index 752045b2428e..258d1b77a11b 100644 --- a/content/build/building/base-images.md +++ b/content/build/building/base-images.md @@ -111,4 +111,4 @@ There are lots of resources available to help you write your `Dockerfile`. * There's a [complete guide to all the instructions](../../reference/dockerfile.md) available for use in a `Dockerfile` in the reference section. * To help you write a clear, readable, maintainable `Dockerfile`, we've also written a [Dockerfile best practices guide](../../develop/develop-images/dockerfile_best-practices.md). -* If your goal is to create a new Docker Official Image, read [Docker Official Images](../../trusted-content/official-images.md). +* If your goal is to create a new Docker Official Image, read [Docker Official Images](../../trusted-content/official-images/_index.md). diff --git a/content/develop/develop-images/dockerfile_best-practices.md b/content/develop/develop-images/dockerfile_best-practices.md index a4655a1b223e..08cf2f7acda5 100644 --- a/content/develop/develop-images/dockerfile_best-practices.md +++ b/content/develop/develop-images/dockerfile_best-practices.md 
@@ -48,7 +48,7 @@ deleting files, are written to this writable container layer. * [Dockerfile reference](../../reference/dockerfile.md) * [More about Automated builds](../../docker-hub/builds/index.md) -* [Guidelines for creating Docker Official Images](../../trusted-content/official-images.md) +* [Guidelines for creating Docker Official Images](../../trusted-content/official-images/_index.md) * [Best practices to containerize Node.js web applications with Docker](https://snyk.io/blog/10-best-practices-to-containerize-nodejs-web-applications-with-docker) * [More about base images](../../build/building/base-images.md) * [More on image layers and how Docker builds and stores images](../../storage/storagedriver/index.md). diff --git a/content/develop/security-best-practices.md b/content/develop/security-best-practices.md index 150a6ca2c72c..d6474d408da7 100644 --- a/content/develop/security-best-practices.md +++ b/content/develop/security-best-practices.md @@ -21,7 +21,7 @@ image. When choosing an image, ensure it's built from a trusted source and keep it small. Docker Hub has more than 8.3 million repositories. Some of these images are -[Official Images](../trusted-content/official-images.md), which are published by +[Official Images](../trusted-content/official-images/_index.md), which are published by Docker as a curated set of Docker open source and drop-in solution repositories. Docker also offers images that are published by [Verified Publishers](../trusted-content/dvp-program.md). These high-quality images diff --git a/content/docker-hub/repos/access.md b/content/docker-hub/repos/access.md index 66f0d7b7c953..6622bef9d0cd 100644 --- a/content/docker-hub/repos/access.md +++ b/content/docker-hub/repos/access.md 
@@ -65,7 +65,7 @@ In the previous example, you can see two example results, `centos` and `ansible/ The second result shows that it comes from the public repository of a user, named `ansible/`, while the first result, `centos`, doesn't explicitly list a repository which means that it comes from the top-level namespace for -[Docker Official Images](../../../trusted-content/official-images.md). +[Docker Official Images](../../trusted-content/official-images/_index.md). The `/` character separates a user's repository from the image name. Once you've found the image you want, you can download it with `docker pull `: diff --git a/content/security/security-announcements.md b/content/security/security-announcements.md index 5e4938f5c707..23540af1e536 100644 --- a/content/security/security-announcements.md +++ b/content/security/security-announcements.md @@ -35,7 +35,7 @@ If you are using affected versions of runc, BuildKit, Moby, or Docker Desktop, m If you are unable to update to an unaffected version promptly, follow these best practices to mitigate risk: -* Only use trusted Docker images (such as [Docker Official Images](../trusted-content/official-images.md)). +* Only use trusted Docker images (such as [Docker Official Images](../trusted-content/official-images/_index.md)). * Don’t build Docker images from untrusted sources or untrusted Dockerfiles. * If you are a Docker Business customer using Docker Desktop and unable to update to v4.27.1, make sure to enable [Hardened Docker Desktop](../desktop/hardened-desktop/_index.md) features such as: * [Enhanced Container Isolation](../desktop/hardened-desktop/enhanced-container-isolation/_index.md), which mitigates the impact of CVE-2024-21626 in the case of running containers from malicious images. 
@@ -116,7 +116,7 @@ the Text4Shell CVE in the vulnerability report. For detailed instructions, see [ ### Docker Official Images impacted by CVE-2022-42889 -A number of [Docker Official Images](../trusted-content/official-images.md) contain the vulnerable versions of +A number of [Docker Official Images](../trusted-content/official-images/_index.md) contain the vulnerable versions of Apache Commons Text. The following lists Docker Official Images that may contain the vulnerable versions of Apache Commons Text: @@ -169,7 +169,7 @@ Log4j 2 CVE in the vulnerability report. For detailed instructions, see [Scan im _Last updated December 2021_ -A number of [Docker Official Images](../trusted-content/official-images.md) contain the vulnerable versions of +A number of [Docker Official Images](../trusted-content/official-images/_index.md) contain the vulnerable versions of Log4j 2 CVE-2021-44228. The following table lists Docker Official Images that may contained the vulnerable versions of Log4j 2. We updated Log4j 2 in these images to the latest version. Some of these images may not be vulnerable for other reasons. We recommend that you also review the guidelines published on the upstream websites. diff --git a/content/trusted-content/images/supported_tags.webp b/content/trusted-content/images/supported_tags.webp new file mode 100644 index 000000000000..2eff4d3c9d32 Binary files /dev/null and b/content/trusted-content/images/supported_tags.webp differ diff --git a/content/trusted-content/official-images.md b/content/trusted-content/official-images.md deleted file mode 100644 index 8f9c89a323d6..000000000000 --- a/content/trusted-content/official-images.md +++ /dev/null 
@@ -1,95 +0,0 @@ ---- -description: Guidelines for Official Images on Docker Hub -keywords: Docker, docker, registry, accounts, plans, Dockerfile, Docker Hub, docs, - official,image, documentation -title: Docker Official Images -aliases: -- /docker-hub/official_repos/ -- /docker-hub/official_images/ ---- - -The [Docker Official Images](https://hub.docker.com/search?q=&type=image&image_filter=official) are a -curated set of Docker repositories hosted on Docker Hub. - -These images provide essential base repositories that serve as the starting point for the majority of users. - -These include operating systems such as [Ubuntu](https://hub.docker.com/_/ubuntu/) and [Alpine](https://hub.docker.com/_/alpine/), programming languages such as [Python](https://hub.docker.com/_/python) and [Node](https://hub.docker.com/_/node), and other essential tools such as [Redis](https://hub.docker.com/_/redis) and [MySQL](https://hub.docker.com/_/mysql). - -The images are some of the [most secure images](https://www.docker.com/blog/enhancing-security-and-transparency-with-docker-official-images/) on Docker Hub. This is particularly important as Docker Official Images are some of the most popular on Docker Hub. Typically, Docker Official images have few or no vulnerabilities. - -The images exemplify [`Dockerfile` best practices](/engine/userguide/eng-image/dockerfile_best-practices/) and provide clear documentation to serve as a reference for other `Dockerfile` authors. - -Images that are part of this program have a special badge on Docker Hub making it easier for you to identify projects that are official Docker images. - -![Docker official image badge](images/official-image-badge-iso.png) - -## When to use Docker Official Images - -If you are new to Docker, it's recommended you use the Docker Official Images in your -projects. These images have clear documentation, promote best practices, -and are designed for the most common use cases. 
Advanced users can -review Docker Official Images as part of your `Dockerfile` learning process. - -A common rationale for diverging from Docker Official Images is to optimize for -image size. For instance, many of the programming language stack images contain -a complete build toolchain to support installation of modules that depend on -optimized code. An advanced user could build a custom image with just the -necessary pre-compiled libraries to save space. - -A number of language stacks such as -[Python](https://hub.docker.com/_/python/) and -[Ruby](https://hub.docker.com/_/ruby/) have `-slim` tag variants -designed to fill the need for optimization. Even when these "slim" variants are -insufficient, it's still recommended to inherit from an Official Image -base OS image to leverage the ongoing maintenance work, rather than duplicating -these efforts. - -## Submitting feedback for Docker Official Images - -All Docker Official Images contain a **User Feedback** section in their -documentation which covers the details for that specific repository. In most -cases, the GitHub repository which contains the Dockerfiles for an Official -Repository also has an active issue tracker. General feedback and support -questions should be directed to `#docker-library` on [Libera.Chat IRC](https://libera.chat). - -## For content publishers - -Docker, Inc. sponsors a dedicated team that's responsible for reviewing and -publishing all content in Docker Official Images. This team works in -collaboration with upstream software maintainers, security experts, and the -broader Docker community. - -While it's preferable to have upstream software authors maintaining their -Docker Official Images, this isn't a strict requirement. Creating -and maintaining images for Docker Official Images is a collaborative process. It takes -place openly on GitHub where participation is encouraged. 
Anyone can provide -feedback, contribute code, suggest process changes, or even propose a new -Official Image. - -> **Note** -> -> Docker Official Images are an intellectual property of Docker. - -### Creating a Docker Official Image - -From a high level, an Official Image starts out as a proposal in the form -of a set of GitHub pull requests. The following GitHub repositories detail the proposal requirements: - -- [docker-library/official-images](https://github.com/docker-library/official-images) -- [docker-library/docs](https://github.com/docker-library/docs) - -The Docker Official Images team, with help from community contributors, formally -review each proposal and provide feedback to the author. This initial review -process may require a bit of back-and-forth before the proposal is accepted. - -There are subjective considerations during the review process. These -subjective concerns boil down to the basic question: "is this image generally -useful?" For example, the [Python](https://hub.docker.com/_/python/) -Docker Official Image is "generally useful" to the larger Python developer -community, whereas an obscure text adventure game written in Python last week is -not. - -Once a new proposal is accepted, the author is responsible for keeping -their images up-to-date and responding to user feedback. The Official -Repositories team becomes responsible for publishing the images and -documentation on Docker Hub. Updates to the Docker Official Image follow the same pull request process, though with less review. The Docker Official Images team ultimately acts as a gatekeeper for all changes, which helps mitigate the risk of quality and security issues from being introduced. diff --git a/content/trusted-content/official-images/_index.md b/content/trusted-content/official-images/_index.md new file mode 100644 index 000000000000..06d7ba5c57aa --- /dev/null +++ b/content/trusted-content/official-images/_index.md 
@@ -0,0 +1,40 @@ +--- +description: Guidelines for Official Images on Docker Hub +keywords: Docker, docker, registry, accounts, plans, Dockerfile, Docker Hub, docs, + official,image, documentation +title: Docker Official Images +aliases: +- /docker-hub/official_repos/ +- /docker-hub/official_images/ +--- + +The [Docker Official Images](https://hub.docker.com/search?q=&type=image&image_filter=official) +are a curated set of Docker repositories hosted on Docker Hub. + +These images provide essential base repositories that serve as the starting +point for the majority of users. + +These include operating systems such as +[Ubuntu](https://hub.docker.com/_/ubuntu/) and +[Alpine](https://hub.docker.com/_/alpine/), programming languages such as +[Python](https://hub.docker.com/_/python) and +[Node](https://hub.docker.com/_/node), and other essential tools such as +[memcached](https://hub.docker.com/_/memcached) and +[MySQL](https://hub.docker.com/_/mysql). + +The images are some of the [most secure images](https://www.docker.com/blog/enhancing-security-and-transparency-with-docker-official-images/) +on Docker Hub. This is particularly important as Docker Official Images are +some of the most popular on Docker Hub. Typically, Docker Official images have +few or no vulnerabilities. + +The images exemplify [`Dockerfile` best practices](../../develop/develop-images/dockerfile_best-practices.md) +and provide clear documentation to serve as a reference for other `Dockerfile` authors. + +Images that are part of this program have a special badge on Docker Hub making +it easier for you to identify projects that are official Docker images. + +![Docker official image badge](../images/official-image-badge-iso.png) + +## In this section + +{{% sectionlinks %}} diff --git a/content/trusted-content/official-images/contributing.md b/content/trusted-content/official-images/contributing.md new file mode 100644 index 000000000000..b250ceba1d72 --- /dev/null 
+++ b/content/trusted-content/official-images/contributing.md 
@@ -0,0 +1,55 @@ +--- +title: Contributing to Docker Official Images +description: | + This article describes how Docker Official Images are created, + and how you can contribute or leave feedback. +keywords: docker official images, doi, contributing, upstream, open source +--- + +Docker, Inc. sponsors a dedicated team that's responsible for reviewing and +publishing all content in Docker Official Images. This team works in +collaboration with upstream software maintainers, security experts, and the +broader Docker community. + +While it's preferable to have upstream software authors maintaining their +Docker Official Images, this isn't a strict requirement. Creating +and maintaining images for Docker Official Images is a collaborative process. +It takes place [openly on GitHub](https://github.com/docker-library/official-images) +where participation is encouraged. Anyone can provide feedback, contribute +code, suggest process changes, or even propose a new Official Image. + +> **Note** +> +> Docker Official Images are the intellectual property of Docker. + +## Creating a Docker Official Image + +From a high level, an Official Image starts out as a proposal in the form +of a set of GitHub pull requests. The following GitHub repositories detail the proposal requirements: + +- [Docker Official Images repository on GitHub](https://github.com/docker-library/official-images) +- [Documentation for Docker Official Images](https://github.com/docker-library/docs) + +The Docker Official Images team, with help from community contributors, formally +review each proposal and provide feedback to the author. This initial review +process may require a bit of back-and-forth before the proposal is accepted. + +There are subjective considerations during the review process. These +subjective concerns boil down to the basic question: "is this image generally +useful?" 
For example, the [Python](https://hub.docker.com/_/python/) +Docker Official Image is "generally useful" to the larger Python developer +community, whereas an obscure text adventure game written in Python last week is +not. + +Once a new proposal is accepted, the author is responsible for keeping +their images up-to-date and responding to user feedback. The Official +Repositories team becomes responsible for publishing the images and +documentation on Docker Hub. Updates to the Docker Official Image follow the same pull request process, though with less review. The Docker Official Images team ultimately acts as a gatekeeper for all changes, which helps mitigate the risk of quality and security issues from being introduced. + +## Submitting feedback for Docker Official Images + +All Docker Official Images contain a **User Feedback** section in their +documentation which covers the details for that specific repository. In most +cases, the GitHub repository which contains the Dockerfiles for an Official +Repository also has an active issue tracker. General feedback and support +questions should be directed to `#docker-library` on [Libera.Chat IRC](https://libera.chat). diff --git a/content/trusted-content/official-images/using.md b/content/trusted-content/official-images/using.md new file mode 100644 index 000000000000..1f409289b2b5 --- /dev/null +++ b/content/trusted-content/official-images/using.md 
@@ -0,0 +1,84 @@ +--- +title: Using Docker Official Images +description: | + Learn about building applications with Docker Official images + and how to interpret the tag names they use. +keywords: docker official images, doi, tags, slim, feedback, troubleshooting +weight: 10 +--- + +If you are new to Docker, it's recommended you use the Docker Official Images +in your projects. These images have clear documentation, promote best +practices, and are designed for the most common use cases. Advanced users can +review Docker Official Images as part of your `Dockerfile` learning process. + +A common rationale for diverging from Docker Official Images is to optimize for +image size. For instance, many of the programming language stack images contain +a complete build toolchain to support installation of modules that depend on +optimized code. An advanced user could build a custom image with just the +necessary pre-compiled libraries to save space. + +## Tags + +The repository description for each Docker Official Image contains a +**Supported tags and respective Dockerfile links** section that lists all the +current tags with links to the Dockerfiles that created the image with those +tags. The purpose of this section is to show what image variants are available. + +![Supported tags for Ubuntu](../images/supported_tags.webp) + +Tags listed on the same line all refer to the same underlying image. Multiple +tags can point to the same image. For example, in the `ubuntu` Docker Official +Images repository, the tags `24.04`, `noble-20240225`, `noble`, and `devel` all +refer to the same image. + +The `latest` tag for a Docker Official Image is often optimized for ease of use +and includes a wide variety of useful software, such as Git and build tools. +Because of their ease of use and wide applicability, `latest` images are often +used in getting-started guides, but they're not recommended for production use. 
+ +## Slim images + +A number of language stacks such as +[Python](https://hub.docker.com/_/python/) and +[Ruby](https://hub.docker.com/_/ruby/) have `slim` tag variants +designed to fill the need for optimization. Even when these `slim` variants are +insufficient, it's still recommended to inherit from an Official Image +base OS image to leverage the ongoing maintenance work, rather than duplicating +these efforts. + +## Alpine + +Many Docker Official Images repositories also offer `alpine` variants. These +images are built on top of the Alpine Linux distribution rather than Debian or +Ubuntu. Alpine Linux is focused on providing a small, simple, and secure base +for container images, and Docker Official Images `alpine` variants typically +aim to install only necessary packages. As a result, Docker Official Images +`alpine` variants are typically even smaller than `slim` variants. For example, +the `linux/amd64 node:latest` image is 382 MB, whereas the `node:slim` image is +70 MB, and the `node:alpine` image is 47 MB. + +It's worth keeping in mind that Alpine Linux is based on musl libc, as opposed +to glibc, which is used by most other Linux distributions. This difference in C +implementations may influence how your program runs, depending on the type of +application you're building. With Alpine Linux, your program can't use +dynamically linked glibc objects, as those aren't available on musl. To run +your programs on Alpine Linux, you can: + +- Compile your program against musl libc +- Statically link glibc libraries into your program +- Avoid C dependencies altogether (for example, build Go programs without CGO) +- Install a glibc compatibility layer manually, alongside musl + +## Codenames + +Tags with words that look like Toy Story characters (for example, `bookworm`, +`bullseye`, and `trixie`) or adjectives (such as `focal`, `jammy`, and +`noble`), indicate the codename of the Linux distribution they use as a base +image. 
Debian-release codenames are [based on Toy Story characters](https://en.wikipedia.org/wiki/Debian_version_history#Naming_convention), +and Ubuntu's take the form of "Adjective Animal". For example, the +codename for Ubuntu 24.04 is "Noble Numbat". + +Linux distribution indicators are helpful because many Docker Official Images +provide variants built upon multiple underlying distribution versions (for +example, `postgres:bookworm` and `postgres:bullseye`). diff --git a/data/toc.yaml b/data/toc.yaml index df85a750fe7c..7c0743df455d 100644 --- a/data/toc.yaml +++ b/data/toc.yaml @@ -2208,8 +2208,14 @@ Manuals: section: - path: /trusted-content/ title: Overview - - path: /trusted-content/official-images/ - title: Docker Official images + - sectiontitle: Docker Official Images + section: + - path: /trusted-content/official-images/ + title: Overview + - path: /trusted-content/official-images/using/ + title: Using official images + - path: /trusted-content/official-images/contributing/ + title: Contributing - path: /trusted-content/dvp-program/ title: Docker Verified Publisher Program - path: /trusted-content/dsos-program/
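Review bot: in content/docker-hub/repos/access.md the link prefix drops from `../../../` to `../../` on the same line that renames the target, so this hunk is a path correction as well as a rename. Two levels up from content/docker-hub/repos/ is content/, which matches the `../../trusted-content/` prefix used by base-images.md at the same directory depth, so the new value looks right. Say so in the commit description so the depth change is not mistaken for a typo.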
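Review bot: fragment links into the old page will stop resolving without any build error. The deleted content/trusted-content/official-images.md carried the headings "When to use Docker Official Images", "Submitting feedback for Docker Official Images", "For content publishers" and "Creating a Docker Official Image", and the replacement _index.md, served from the same path and aliases, has only "In this section". Search the docs for links to this page that end in one of those heading anchors and repoint them at using.md or contributing.md.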
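Review bot: the example list in the new official-images/_index.md replaces `[Redis](https://hub.docker.com/_/redis)` with `[memcached](https://hub.docker.com/_/memcached)`, a content change that is easy to miss inside a file move. If it is intentional, mention it in the commit message. In the same file, "Docker Official images" in the sentence about vulnerabilities should read "Docker Official Images" to match the rest of the page.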
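Review bot: contributing.md names the same group two ways in its last paragraph of "Creating a Docker Official Image": "The Official Repositories team becomes responsible for publishing" and, two sentences later, "The Docker Official Images team ultimately acts as a gatekeeper". Use "Docker Official Images team" throughout, since this is the paragraph that tells readers who approves changes. Also in this file, "The Docker Official Images team, with help from community contributors, formally review" should be "reviews", "mitigate the risk of quality and security issues from being introduced" reads better as "reduces the risk of introducing quality and security issues", and the final two sentences of that paragraph are left on one unwrapped line.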
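Review bot: the Tags section of using.md says `latest` images are "not recommended for production use" but does not say what to use instead, and the `ubuntu` example shows `24.04`, `noble-20240225`, `noble`, and `devel` resolving to one image without saying that tags such as `noble` and `devel` are repointed to newer images over time. Add a sentence recommending a specific version tag or an image digest for production builds. In the Alpine section, "Statically link glibc libraries into your program" needs a caveat, because a statically linked glibc program can still require the shared glibc libraries at run time for name-service lookups, and "Install a glibc compatibility layer manually, alongside musl" should state that such a layer sits outside the maintenance the base image provides, which is the reason the Slim images section gives for inheriting from an Official Image.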
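Review bot: the new data/toc.yaml entry `title: Using official images` lowercases the product name, while the `sectiontitle` directly above it and the front matter of using.md both use "Docker Official Images". Change the entry to "Using Docker Official Images" so the navigation matches the page title.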